Hackers are reportedly exploiting a serious unauthenticated remote code execution (RCE) vulnerability in the Samsung MagicINFO 9 Server, which could allow them to hijack devices and deploy malicious software. The issue affects the centralized content management system (CMS) used to remotely manage Samsung’s digital signage displays, utilized widely in settings such as retail stores, airports, hospitals, corporate buildings, and restaurants.
The vulnerability, identified as CVE-2024-7399, was first disclosed publicly in August 2024, following a fix in version 21.1050 of the software. Samsung characterized the flaw as stemming from an improper limitation on the pathname to a restricted directory, enabling attackers to write arbitrary files with system-level permissions.
Security researchers from SSD-Disclosure made headlines on April 30, 2025, by publishing a detailed write-up on the vulnerability along with a proof-of-concept (PoC) exploit. The exploit achieves RCE on the server without authentication by way of a JSP web shell: a malicious .jsp file is uploaded through an unauthenticated POST request, and path traversal in the supplied file name causes it to be written into a web-accessible location, from which the attacker can execute arbitrary OS commands.
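The bug class at the heart of CVE-2024-7399 is the one described above: a client-controlled file name is joined onto a fixed content directory without confining the result. The following Python is an added illustration, not MagicINFO code; the directory paths, the upload-handler shape and the allowed extensions are all assumptions. It places the flawed join beside a hardened version that strips directory components, whitelists the extension and verifies that the resolved path still lies under the content directory.

```python
import posixpath

# Placeholder paths for the illustration; these are not the real install layout.
CONTENT_DIR = "/opt/signage/content"   # where uploaded media is supposed to land
WEB_ROOT = "/opt/signage/webapps"      # anything written here is served by the app server


def vulnerable_target_path(filename: str) -> str:
    """The CWE-22 pattern: the client-supplied name is joined as-is, so
    '../' segments walk out of CONTENT_DIR into a web-served directory."""
    return posixpath.normpath(posixpath.join(CONTENT_DIR, filename))


def escapes_content_dir(path: str) -> bool:
    """True when an already-normalized path is not inside CONTENT_DIR."""
    return posixpath.commonpath([CONTENT_DIR, path]) != CONTENT_DIR


def safe_target_path(filename: str, allowed_ext=(".png", ".jpg", ".mp4")) -> str:
    """Hardened version: keep only the base name (after normalizing Windows
    separators), reject dot names, whitelist the extension so no server-side
    script such as .jsp can ever be stored, then prove the resolved path is
    still confined to CONTENT_DIR before returning it."""
    base = posixpath.basename(filename.replace("\\", "/"))
    if base in ("", ".", ".."):
        raise ValueError("empty or dot file name")
    if not base.lower().endswith(allowed_ext):
        raise ValueError(f"extension not allowed: {base}")
    target = posixpath.normpath(posixpath.join(CONTENT_DIR, base))
    if escapes_content_dir(target):
        raise ValueError("path escapes content directory")
    return target


if __name__ == "__main__":
    # Constructed sample names, as a hypothetical upload handler would receive them.
    for name in ("promo.png", "../webapps/ROOT/x.jsp", "..\\..\\etc\\promo.png"):
        bad = vulnerable_target_path(name)
        print(f"{name!r}: flawed join -> {bad} (escapes: {escapes_content_dir(bad)})")
        try:
            print(f"    hardened -> {safe_target_path(name)}")
        except ValueError as err:
            print(f"    hardened -> rejected: {err}")
```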
Reports from Arctic Wolf indicate that, only a few days after the PoC's release, CVE-2024-7399 is already being actively exploited in the wild. They cautioned that the low barrier to exploitation, combined with a publicly available PoC, would likely motivate threat actors to target this vulnerability aggressively. Moreover, threat analyst Johannes Ullrich confirmed that a variant of the Mirai botnet malware is leveraging this vulnerability to take control of devices.
In light of these developments, system administrators are urged to take immediate action to mitigate risk by upgrading to Samsung MagicINFO Server version 21.1050 or higher.